AsTech stands behind its work with a simple guarantee: if your company is breached through a source code vulnerability we miss, we'll pay up to $5M in breach related costs.
Subject to the terms and conditions described below and the service agreement by and between AsTech and Customer (“Service Agreement”), in the event AsTech fails to report to Customer a Covered Vulnerability (to be defined) and such vulnerability is exploited by a third-party to cause a Material Harm (to be defined), Customer will be eligible for (i) a refund of the remaining, unused portion of the fees paid to AsTech that correspond to a Customer Web Application covered by a Paragon subscription as specifically identified in an applicable Service Order (“Covered Application”) and (ii) reimbursement of actual expenses that directly result from such Material Harm up to a maximum amount not to exceed Five Million Dollars US ($5,000,000) for each Covered Application. Such refund and reimbursement shall be referred to collectively herein as the "Payments".
Paragon Coverage / Customer Responsibilities
For each Paragon subscription purchased, subject to the terms and conditions described below, Customer shall be eligible for the Payments and, during the term of such subscription, shall receive the following for each Covered Application:
The following terms and conditions (“Covered Terms”) apply to Paragon:
To qualify for the Payments, an Application must be covered by a Paragon work order at the time its security is compromised (as described below), and such compromise must (i) be the direct result of a Covered Vulnerability that AsTech failed to report to Customer prior to the applicable Incident (an “Incident”). The alleged compromise must have resulted in Material Harm to the Customer. “Material Harm” must include at least one of the following:
(i) breach of a security system as defined under Delaware Code tit. 6 Sect. 12B-101 et seq,
(ii) public disclosure of confidential business information or
(iii) end-user account take over.
To apply for a claim, a written confidential Incident report (the “Incident Report”) must be submitted to AsTech customer support (i) within thirty (30) days after the date the Customer discovers the Incident and (ii) not later than forty-five (45) days after the date of expiration or termination of the Paragon subscription. A separate Incident Report must be submitted for each Incident.
The Incident Report must be in compliance with the forensics framework described in the National Institute of Standards and Technology’s “Computer Security Incident Handling Guide” (NIST 800-61 rev2) found here:
http://dx.doi.org/10.6028/NIST.SP.800-61r2, or a comparable control in an industry accepted framework such as (i) PCI 12.10, (ii) ISO IEC 27002:2013 – Chapter 16 or (iii) COBIT PO9.
Prior to payment of any claims, at its own expense, AsTech reserves the right to (i) have an Incident response investigation performed by an independent third-party firm or (ii) conduct its own such investigation. Customer agrees to provide reasonable assistance to AsTech or its designated agent during such investigation.
Customer agrees to use reasonable commercial efforts to notify AsTech within forty-eight (48) hours after Customer becomes aware of a Covered Vulnerability in a covered Application that has not been reported to Customer.
In the event of an Incident, in order to be eligible for the Payments:
Customer must be in compliance with the terms and conditions of the Service Agreement applicable to the Paragon subscription for the compromised Covered Application.
The Incident (i) must be the result of a Covered Vulnerability that AsTech is able to access within the source code provided by Customer prior to the date of such Incident and (ii) must not be the result of (1) a Covered Vulnerability that has been intentionally concealed within a covered Application by Customer personnel or (2) the gross negligence or willful misconduct of Customer personnel.
If Customer modifies a covered Application, at a minimum a differential security analysis must have been completed on such modified Covered Application prior to the date an Incident occurs. Customer must have provided source code to AsTech for the Covered Application within a timeframe set in the subscription agreement that allowed AsTech to perform a differential security analysis prior to the date of the Incident.
If an Incident is the result of the exploit of a Zero-Day Threat, such Incident must have occurred at least seventy-two (72) hours after a Common Weakness Enumeration ID (CWE – http://cwe.mitre.org/) or Common Vulnerabilities and Exposures ID (CVE – http://cve.mitre.org/) has been published for such Zero-Day Threat. For the purposes of these Paragon terms and conditions, a “Zero-Day Threat” is an attack that exploits a previously unknown vulnerability for which developers have not yet created a patch. Prior to the end of such seventy-two (72) hour period, AsTech may, in its sole discretion, determine that a Zero-Day Threat shall be considered a Covered Vulnerability upon written notice to Customer, which would render any Incident resulting from such Zero-Day Threat ineligible for the Payments. Customer acknowledges and agrees that AsTech may modify these Covered Terms to add such Zero-Day Threat to the Covered Vulnerabilities table below, and Customer shall be subject to such modified Covered Terms upon written notice via email or via other mechanism (notwithstanding any notification requirements to the contrary included in the Service Agreement).
If the alleged Incident is confirmed by AsTech or its appointed, independent third-party firm, or AsTech decides (in its sole discretion) not to perform an Incident response investigation (“Confirmed Incident”), then for each Paragon subscription that involves a Confirmed Incident, Customer shall be eligible for the Payments as follows:
Subscription Fee Refund: A refund of the remaining, unused portion (as of the date of a Confirmed Incident) of the Paragon subscription fee paid by Customer for the compromised Covered Application. Such refund may be redeemed as a refund of such fees, or a credit applied toward a future AsTech work order. Fee refunds will be processed within thirty (30) days after the date a Confirmed Incident has been validated by AsTech and credits will be applied to the next invoice for AsTech services.
Expense Reimbursement: Reimbursement of expenses incurred as a direct result of a Material Harm following a Confirmed Incident, up to a maximum amount not to exceed Five Million Dollars ($5,000,000) for each Covered Application, may be requested by Customer following a Confirmed Incident (“Expense Reimbursement Request”). Any such reimbursement will require Customer to provide AsTech with copies of applicable proof of payment (e.g. canceled checks or receipts) for the Expense Reimbursement Request, and AsTech has the right to contact the recipient of such payments and perform (at its own expense) an audit of Customer’s records related to any Expense Reimbursement Request. Customer may submit no more than one Expense Reimbursement Request for each Covered Application during the term of a Paragon subscription covering such affected Covered Application.
Customer’s sole and exclusive remedy for any Incidents and Material Harm will be the Payments described herein. Payments made to Customer pursuant to these Paragon terms shall not be considered an admission of responsibility for an Incident or any further liability. Customer is responsible for complying with all laws and regulations applicable to an Incident and AsTech will not be responsible for any liability or expense related to such laws and regulations. A claim submitted by Customer will have no impact on the Service Agreement. Customer acknowledges and agrees that each Paragon subscription will terminate at the end of the subscription period referenced on the applicable Service Order and will not be subject to any auto renewal provision contained in the Service Agreement or any Service Order under such Service Agreement.
For the purposes of the Paragon service described herein, a breach as described above due to a vulnerability included in the list below (“Covered Vulnerability”) shall be eligible for the Payments.